Operational Defect Database

BugZero found this defect 321 days ago.

F5 | 1311601

JWT is corrupted when the claim value is a custom variable assigned in the Variable assign agent

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP APM

Affected releases:

15.1.9

15.1.9.1

15.1.10

15.1.10.2

15.1.10.3

15.1.10.4

16.1.2

16.1.2.1

16.1.2.2

16.1.3

16.1.3.1

16.1.3.2

Fixed releases:

No fixed releases provided.

Description:

OAuth bearer SSO is configured with "generate JWT", and the JWT includes claims which take "custom variable" as claim value and string as claim type.

The JWT is corrupted where the custom variable is populated in Variable assign agent in the VPE, for some values of custom variable, for example, <'Some long garbage string in the Custom Variable'>.

Impact: The JWT token with garbage is added, which later leads to failure of token validation causing failures in accessing applications.

Conditions ... Workaround ... As insecure custom variable is added and returned to variable assign agent.

Add the custom variable as a normal string in claim value and claim type as string instead of adding to the Variable assign agent.

Fix Information ...


Status

New
